CHR DHCP Firewall bug?

Hello

Deployed a CHR with GNS3 to test it alongside a few connected hosts (Ubuntu and GNS3 VPCS).
Updated to the latest long-term ROS.

Trying to implement a simple firewall and everything is working except

  • Input chain: DHCP filter is bypassing firewall
    [attachment: Capture.PNG]
    Result: DHCP traffic is visible in the log file and not filtered (hosts are getting answers, so the router receives DHCP discover and DHCP request packets).
    [attachment: dhcp.PNG]
    Bug? Can someone give it a try please?

It is expected behaviour - the DHCP server uses raw sockets, which receive this traffic before it reaches the IP firewall.

Understood.
Could you point me to a document (if one exists) about this behavior on Mikrotik's website?

Big thanks!

It is not Mikrotik-specific; it likely affects most Linux-based systems.

With BOOTP, and subsequently DHCP, a client sends requests to UDP port 67 on a server, and the server sends responses to the client using UDP port 68 - AFAIK this methodology was to prevent messages being inappropriately rebroadcast. As this is not the usual behaviour for a typical UDP socket()/bind()/recvfrom()/sendto(), it requires DHCP/BOOTP servers to utilise raw sockets and craft the necessary IP & UDP headers.

I can't recall if you can block these packets from reaching the Mikrotik DHCP server under /ip firewall raw or if you have to resort to putting the interface in a bridge and using /interface bridge filter rules.
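To make the point about raw sockets concrete, here is an added example (my own code, not part of the thread and not Mikrotik's DHCP server): a minimal raw-socket DHCP server side that has to parse and build the Ethernet, IPv4 and UDP headers itself, answer a DISCOVER from port 67 to port 68, and apply the same "UDP to port 67" match that such a server attaches to its packet socket. The MAC addresses, transaction id and 192.168.88.x addresses are constructed sample values. The comment about the packet tap running before netfilter describes stock Linux AF_PACKET behaviour; whether RouterOS's /ip firewall raw is placed any differently is not settled by this thread.

```python
import socket
import struct

# Constructed sample values (not from the forum post): two fake MACs on a test LAN.
CLIENT_MAC = bytes.fromhex("0242ac110002")
SERVER_MAC = bytes.fromhex("0242ac110001")
BROADCAST_MAC = b"\xff" * 6
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie that follows the BOOTP header
DHCP_DISCOVER, DHCP_OFFER = 1, 2           # option 53 message types
BOOTP_SERVER_PORT, BOOTP_CLIENT_PORT = 67, 68


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a complete header it returns 0 when the checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Wrap a BOOTP payload in UDP, IPv4 and Ethernet headers by hand, as a raw-socket server must."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload   # UDP checksum 0: omitted (legal for IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]            # fill in the header checksum
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def build_bootp(op, xid, chaddr, yiaddr, msg_type, extra_options=b""):
    """Fixed 236-byte BOOTP header, magic cookie, option 53 plus any extra options, then END (255)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                        chaddr, b"", b"")                    # 0x8000 = broadcast flag; sname/file left empty
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_frame(frame: bytes):
    """Decode Ethernet/IPv4/UDP/BOOTP from a raw frame; None if it is not a DHCP packet."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:           # walk TLV options until END
        if payload[i] == 0:                                  # PAD option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return {
        "src_mac": frame[6:12], "dst_mac": frame[0:6],
        "src_ip": socket.inet_ntoa(frame[26:30]), "dst_ip": socket.inet_ntoa(frame[30:34]),
        "src_port": src_port, "dst_port": dst_port,
        "op": op, "xid": xid, "chaddr": payload[28:28 + hlen],
        "yiaddr": socket.inet_ntoa(payload[16:20]), "msg_type": msg_type,
    }


def reaches_dhcp_server(frame: bytes) -> bool:
    """The match a DHCP server attaches to its AF_PACKET socket: IPv4, UDP, destination port 67.
    On stock Linux the packet tap feeding such a socket runs before the frame enters the IP stack,
    so the netfilter hooks behind /ip firewall never get a say for that socket (assumption: RouterOS
    places its raw socket the same way; the thread does not confirm where /ip firewall raw sits)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False
    ihl = (frame[14] & 0x0F) * 4
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0] == BOOTP_SERVER_PORT


def answer_discover(frame, server_mac, server_ip, offered_ip, lease_seconds=3600):
    """Server side: turn a DISCOVER into an OFFER sent from port 67 to port 68, broadcast
    because the client has no address yet. Returns None for anything that is not a DISCOVER."""
    req = parse_frame(frame)
    if req is None or req["dst_port"] != BOOTP_SERVER_PORT or req["msg_type"] != DHCP_DISCOVER:
        return None
    opts = bytes([54, 4]) + socket.inet_aton(server_ip) + bytes([51, 4]) + struct.pack("!I", lease_seconds)
    bootp = build_bootp(2, req["xid"], req["chaddr"], offered_ip, DHCP_OFFER, opts)
    return build_frame(server_mac, BROADCAST_MAC, server_ip, "255.255.255.255",
                       BOOTP_SERVER_PORT, BOOTP_CLIENT_PORT, bootp)


# Constructed sample: the DHCPDISCOVER a freshly booted client broadcasts (0.0.0.0 -> 255.255.255.255, 68 -> 67).
SAMPLE_DISCOVER = build_frame(CLIENT_MAC, BROADCAST_MAC, "0.0.0.0", "255.255.255.255",
                              BOOTP_CLIENT_PORT, BOOTP_SERVER_PORT,
                              build_bootp(1, 0x3903F326, CLIENT_MAC, "0.0.0.0", DHCP_DISCOVER))

if __name__ == "__main__":
    print("discover reaches raw-socket server:", reaches_dhcp_server(SAMPLE_DISCOVER))
    print("offer:", parse_frame(answer_discover(SAMPLE_DISCOVER, SERVER_MAC, "192.168.88.1", "192.168.88.10")))
```

The part worth noticing for the firewall question is that nothing here ever touches a bound UDP socket: the server reads whole Ethernet frames and writes whole Ethernet frames, which is exactly why an input-chain rule keyed on the IP layer is never consulted for the socket that the DHCP server is reading from.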